Transcript of: Michal Remper, CCIE#8151, Systems Engineer · palo/Rozne/cisco-expo/2006/... · Best Practices for LEAP...
1© 2005 Cisco Systems, Inc. All rights reserved.WLAN_Sec
Wireless Campus Network Security
Michal Remper, CCIE#8151, Systems Engineer, [email protected]
Agenda
• WLAN Security Overview
• WLAN Security Vulnerabilities and Threats
• WLAN Security Authentication and Encryption
• Centralized Wireless Deployment
• Wireless IDS
• Summary
Why WLAN Security Is Important?
• Do not rely on basic WEP encryption; requirement for enterprise-class security (WPA, EAP/802.1x protocols, wireless IDS, VLANs/SSIDs, etc.)
• Employees will install WLAN equipment on their own (compromises the security of your entire network)
  – Out-of-the-box configuration of APs: all security features are disabled!
• Business impact due to stolen data: potential financial and legal consequences (laws to protect data confidentiality; example: healthcare)
Diagram labels: Hackers – Lessons: “War Driving”; Vulnerabilities: Employees
WLAN Security Vulnerabilities and Threats
• Different forms of vulnerabilities and threats exist:
  – Encryption vulnerabilities: WEP
  – Authentication vulnerabilities: shared-key authentication, dictionary attacks, and MITM attacks
  – WLAN sniffing and SSID broadcasting
  – Address spoofing: MAC-address spoofing and IP-address spoofing (both hostile/outsider attacks and insider attacks)
  – Misconfigured APs and clients
  – Denial of service (DoS) attacks: using 802.11 deauthentication/disassociation frames, RF jamming, etc.
WEP Vulnerabilities
• 802.11 static WEP is flawed: passive attacks
  – The RC4 key-scheduling algorithm uses a 24-bit initialization vector (IV), and encryption keys are not rotated
  – Practical tools that implement the FMS attack (example: AirSnort) can uncover the WEP key after capturing 1,000,000 packets
  – That is about ~17 minutes to compromise the WEP key in a busy network!
  – This attack is passive: all the attack tool needs to do is “listen” to the WLAN (i.e. sniff WLAN packets)
• 802.11 static WEP is flawed: active attacks
  – Does not protect the integrity of WLAN user data
  – Several forms of attack are possible: replay attacks, bit-flipping attacks, etc.
Authentication Vulnerabilities
• Shared-key authentication is flawed!
  – The AP challenges the WLAN user with a plaintext challenge to ensure possession of a valid encryption key
  – An attacker can obtain the key stream: plaintext challenge XOR ciphertext = key stream
  – Not recommended for deployment!
• Dictionary attacks
  – On-line (active) attacks: active attack to compromise passwords or pass-phrases
  – Off-line attacks: passive attack to compromise passwords or pass-phrases
• MITM attacks
  – Active attacks where the attacker inserts himself in the middle of the authentication sequence
What is a Dictionary Attack Tool?
• What is a dictionary?
  – Contains variations of passwords
  – Weak passwords can be cracked using standard dictionaries (found easily in various Internet discussion forums and web sites)
• Success factors for this tool depend on:
  – Whether a variation of the user’s password is found in the dictionary used by the attacker
  – The attacker’s experience and knowledge in generating dictionaries
  – Password strength: a weak six-character password is easily compromised compared to a strong ten-letter password
  – The strength of the attacker’s dictionary determines whether the password can be compromised
Cisco LEAP: Off-line Dictionary Attack
• Cisco LEAP is based on the MS-CHAP architecture
  – No “salt” is used (along with the NT hash) in the challenge/response (i.e. the encryption process is not “randomized”)
  – Weak DES key selection in the challenge/response
  – Username sent in the clear
• Off-line (passive) dictionary attacks are possible. Assumptions:
  – The attacker needs to be in the vicinity of your building (to sniff the clear-text EAP message exchange)
  – The attacker is knowledgeable enough to carry out advanced dictionary attacks: can compile/customize penetration tool(s) and has experience in carrying out dictionary attacks
• An off-line dictionary attack depends on a few variables:
  – Password policy
  – Processing power available to the attacker
  – Efficiency of the attacker’s algorithm
Man-in-the-Middle Exploits
• Man-in-the-middle exploits are attacks by which the attacker poses as the network to clients and as a client to the network
  – The attacker attempts to obtain security credentials or the security key by intercepting credentials
Diagram: Wireless Station – MiTM Attacker – Access Point – EAP Server; messages: EAP request, EAP reply, EAPOL key
MiTM Exploits
• Current implementations have some MiTM vulnerability
  – EAP-FAST is considered vulnerable to MiTM ONLY during the authentication phase
  – PEAP is considered vulnerable to MiTM if the client accepts the same EAP transaction type inside and outside the tunnel
• Defenses against MiTM exploits
  – In order to mount a man-in-the-middle exploit, you must pose as a valid infrastructure network
  – Easily detected/contained with common rogue AP detection mechanisms
  – Cryptographic binding of authentication exchanges (EAP-FAST, PEAPv2) mitigates MiTM risks
Note: The problem with potential MiTM attacks is described in the PEAP v2 IETF draft document: http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-10.txt
WLAN Sniffing and SSID Broadcasting
Disabling SSID broadcast should not be considered a security mechanism: potential attackers can uncover your SSID by observing probe responses!
Address Spoofing
• MAC address and IP address spoofing are possible in WLAN networks
• Outsider (hostile) attack scenario
  – IP address spoofing is NOT possible if encryption is turned on (DHCP messages are encrypted between the client and the AP)
  – MAC address spoofing alone (i.e. without IP address spoofing) may not buy much if encryption is turned on
• Insider attack scenario:
  – MAC address and IP address spoofing will NOT succeed if EAP/802.1x authentication is used (a unique encryption key is derived per user, i.e. per MAC address)
Diagram: Access Point – Authorized Client; the attacker sniffs the client’s MAC address & IP address, then injects packets into the WLAN using the client’s MAC/IP address
Who Installs Rogue APs?—“Focus on the Frustrated Insider”
Frustrated insider (“Jones from Accounting”; >99.9% of rogue APs)
• User that installs a wireless AP in order to benefit from the increased efficiency and convenience it offers
• Common because of the wide availability of low-cost APs
• Usually ignorant of AP security configuration; default configuration most common
Malicious hacker (<.1% of rogue APs)
• Penetrates physical security specifically to install a rogue AP
• Can customize the AP to hide it from detection tools
• Hard to detect—more effective to prevent via 802.1x and physical security
• More likely to install a LINUX box than an AP
Denial of Service (DoS) Attacks
• RF jamming
  – A simple RF jamming transmitter (example: microwave or cordless phone next to an AP)
• DoS attacks using 802.11 management frames
  – 802.11 management frames are NOT authenticated between the AP and the clients
  – Anyone can spoof a client’s MAC address and send an 802.11 management frame on behalf of that client
• 802.1x authentication flooding
  – An attacker can send a flood of 802.1x authentication requests to the AP
  – This causes the AP to process unnecessary authentication frames
Basic Requirements to Secure Wireless LANs
• Encryption algorithm: mechanism to provide data privacy
• Message integrity: ensures data frames are tamper-free and truly originate from the source address
• Authentication framework: framework to facilitate authentication messages between clients, access point, and AAA server
• Authentication algorithm: mechanism to validate client credentials
Basic Requirements to Secure Wireless LANs
Encryption and Data Privacy:
  – Encryption algorithm: TKIP-PPK or AES-CCM
  – Message integrity: TKIP-MIC or AES-CBC-MAC
Authentication, Authorization, and Access Control:
  – Authentication framework: 802.1X/EAP
  – Authentication algorithm: LEAP, PEAP, or EAP-FAST
Wireless LAN Security Authentication and Encryption
• Technologies to secure wireless LANs
  – EAP/802.1x authentication protocols
  – Data encryption & message integrity: WPA, CKIP, WPA2
• EAP/802.1x with WPA/WPA2 deployment considerations
  – EAP supplicant availability
802.1X Authentication Overview
• IEEE 802.11 Task Group i recommendation for WLAN authentication
• Supported by Cisco since December 2000
• Extensible and interoperable – supports:
  – Different EAP authentication methods or types
  – New encryption algorithms, including AES as a replacement for RC4
• Key benefits
  – Mutual authentication between client and authentication (RADIUS) server
  – Encryption keys derived after authentication
  – Centralized policy control, where session timeout triggers reauthentication and a new key
Diagram: client – AP – RADIUS server – user database (labels: Extensible Authentication Protocol (EAP), RADIUS)
How does Extensible Authentication Protocol (EAP) authenticate clients?
Diagram: WLAN Client – Access Point – RADIUS server – Corporate Network
  – Client associates; it cannot send data until EAP authentication is complete (data from client blocked by AP)
  – 802.1x between client and AP, RADIUS between AP and server, carrying EAP
  – EAP authentication complete: client sends data (data from client passed by AP)
Cisco LEAP
• Client support: Windows 95-XP, Windows CE, Macintosh OS 9.X & 10.X, and Linux
• RADIUS server
  – Cisco ACS and Cisco AR
  – Local RADIUS on AP (12.2(13)) and ISR (12.3(11))
  – Funk Steel Belted Radius or Odyssey server products
  – Interlink Merit
• Microsoft Domain or Active Directory database (optional) for back-end authentication
• Device support
  – Workgroup bridges (WGB 340 and 350)
  – Bridges (BR350, BR1400, and BR1300 series)
  – Cisco 2000 and 4000 Series controllers
Cisco LEAP Authentication
Diagram: Client – Access Point – RADIUS Server – NT/AD Controller
  – Start; Request Identity; Identity (forwarded by the AP to the RADIUS server)
  – AP blocks all requests until authentication completes
  – Client authentication: RADIUS server authenticates client
  – Server authentication: client authenticates RADIUS server
  – Derive key (on client and on server)
  – Key management: WPA or CCKM key management used
  – Protected data session
Best Practices for LEAP Deployment
• On-line dictionary attacks
  – Use policies on the RADIUS server to lock out a user after X number of login failures
  – Authentication failures may also be alarmed, and client 802.11 exclusion may be possible
• Off-line dictionary attacks
  – Use a strong password policy (minimum 10-character password)
  – Possible methods to overcome the “human limitation” for a strong password policy:
    - Separate MSFT AD user account & password for wireless access (i.e. WLAN authentication is decoupled from MSFT AD authentication)
    - Administrator should generate a strong password for WLAN authentication for each user
    - WLAN authentication user-id and strong password securely stored on the device
Best Practices for LEAP Deployment
• Example strong password policy
  – Password should be a minimum of twelve characters (note: at least ten characters is the recommended minimum for a strong password policy; see http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml and http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html)
  – A mixture of uppercase and lowercase letters
  – At least one numeric character (0-9) or non-alphanumeric character (example: !#@&)
  – No form of the user's name or user ID
  – A word that is not found in a dictionary (domestic or foreign)
  – Randomly generated passwords
• Example passwords matching the above policy: W1r3l3ss1sG00d (as in “WirelessisGood”), N3tw0rk3rsR0cks (as in “NetworkersRocks”). Both are character substitutions on dictionary words, which an attacker’s generated dictionaries can include; the randomly generated option above is the stronger choice.
EAP-FAST – Simple, Versatile, and Secure
Diagram: EAP-FAST tunnel to AAA carrying OTP, MSCHAPv2, certs, or UID/PW; compared with EAP-TLS, PEAP-GTC, PEAP-MSCHAPv2, EAP-TTLS
• Strong authentication without the burden of cert management
• Simple to deploy
• Open standard, on the path to RFC: http://www.ietf.org/internet-drafts/draft-cam-winget-eap-fast-00.txt
• Robust support: Fast Roaming (CCKM), IOS Local Authentication, Cisco NAC
• EAP-FAST establishes an encrypted tunnel between the client and the AAA server
  – The client and AAA can then securely use any credentials within the tunnel
  – Client stacks from Funk and Meetinghouse
  – CCXv4 includes support for EAP-FAST
PAC High Level Description – Creation
Diagram: Server (A-ID) – Client (I-ID). A PAC is drawn as PAC-Opaque (containing PAC-Key, I-ID, lifetime, ...), PAC-Key, and PAC-Info (containing A-ID, ...); the server holds the Master-Key.
• The server (A-ID) maintains a local key (Master-Key) which only the server knows.
• When a client I-ID requests a PAC from the server, the server generates a random, unique PAC-Key and a PAC-Opaque field for this client.
• The PAC-Opaque field contains the randomly generated PAC-Key along with other information such as the user identity (I-ID) and the key lifetime.
• The PAC-Key, I-ID and lifetime in the PAC-Opaque field are encrypted with the Master-Key.
• The server also creates a PAC-Info field which contains the Authority Identity (A-ID).
• A PAC consists of PAC-Opaque, PAC-Key and PAC-Info.
• PAC-Opaque, PAC-Key and PAC-Info are returned to the client as the PAC. The server then forgets the PAC.
PAC High Level Description – Establish TLS
• When an EAP-FAST session starts, the server sends its A-ID in the EAP-FAST start packet.
• The client selects a PAC based on the A-ID and returns the PAC-Opaque to the server.
• The server decrypts the PAC-Key, I-ID and lifetime in the PAC-Opaque using the Master-Key.
• Now server and client possess the PAC-Key (as a shared secret) to establish the TLS tunnel.
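The PAC lifecycle from the two slides above, as an added example (not the slides' or Cisco's code): the server keeps only its Master-Key, wraps PAC-Key/I-ID/lifetime into the PAC-Opaque, forgets the PAC, and later recovers the PAC-Key from whatever PAC-Opaque the client returns for its A-ID. The slides do not name the cipher, so the opaque is protected here with an HMAC-SHA256 counter-mode keystream plus an HMAC-SHA256 tag bound to the A-ID (encrypt-then-MAC) as a stand-in; the A-ID and I-ID values are constructed.

```python
import hashlib
import hmac
import os
import struct


def _kdf(master_key: bytes, purpose: bytes) -> bytes:
    # Derive separate encryption and MAC subkeys from the single Master-Key.
    return hmac.new(master_key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode, standing in for the block cipher a real server uses.
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
    return out[:length]


class PacServer:
    """The EAP-FAST authority (A-ID). Holds no per-client state after provisioning."""

    def __init__(self, a_id: bytes):
        self.a_id = a_id
        self.master_key = os.urandom(32)            # known only to the server
        self.enc_key = _kdf(self.master_key, b"pac-opaque-enc")
        self.mac_key = _kdf(self.master_key, b"pac-opaque-mac")

    def provision(self, i_id: bytes, lifetime_s: int, now: int) -> dict:
        # PAC creation: random PAC-Key; PAC-Opaque = Enc(Master-Key, PAC-Key || expiry || I-ID),
        # with the tag also covering the A-ID so another authority cannot accept it.
        pac_key = os.urandom(32)
        plaintext = pac_key + struct.pack(">Q", now + lifetime_s) + i_id
        nonce = os.urandom(16)
        ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(self.enc_key, nonce, len(plaintext))))
        tag = hmac.new(self.mac_key, self.a_id + nonce + ct, hashlib.sha256).digest()
        # Returned to the client; nothing is stored, i.e. the server forgets the PAC.
        return {"PAC-Key": pac_key, "PAC-Opaque": nonce + ct + tag, "PAC-Info": {"A-ID": self.a_id}}

    def start(self) -> bytes:
        # The EAP-FAST start packet carries the server's A-ID.
        return self.a_id

    def accept_pac_opaque(self, opaque: bytes, now: int):
        # Establish TLS: recover PAC-Key, I-ID and lifetime from the opaque with the Master-Key.
        if len(opaque) < 16 + 32 + 8 + 32:
            return None
        nonce, ct, tag = opaque[:16], opaque[16:-32], opaque[-32:]
        expected = hmac.new(self.mac_key, self.a_id + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None   # tampered, forged, or issued by a different authority
        pt = bytes(a ^ b for a, b in zip(ct, _keystream(self.enc_key, nonce, len(ct))))
        pac_key, expiry, i_id = pt[:32], struct.unpack(">Q", pt[32:40])[0], pt[40:]
        if now >= expiry:
            return None   # lifetime exceeded: the client must be re-provisioned
        return {"PAC-Key": pac_key, "I-ID": i_id}   # shared secret for the TLS tunnel


class PacClient:
    def __init__(self):
        self.pacs = {}   # keyed by A-ID, since the client selects its PAC by A-ID

    def store(self, pac: dict):
        self.pacs[pac["PAC-Info"]["A-ID"]] = pac

    def select(self, a_id: bytes):
        pac = self.pacs.get(a_id)
        return None if pac is None else pac["PAC-Opaque"]


def tunnel_demo(now: int = 1_000_000):
    # Constructed identities: server A-ID and client I-ID.
    server, client = PacServer(b"corp-acs.example"), PacClient()
    pac = server.provision(b"alice", lifetime_s=30 * 86400, now=now)
    client.store(pac)
    opaque = client.select(server.start())
    fresh = server.accept_pac_opaque(opaque, now + 60)
    expired = server.accept_pac_opaque(opaque, now + 31 * 86400)
    tampered = bytearray(opaque)
    tampered[20] ^= 0x01
    forged = server.accept_pac_opaque(bytes(tampered), now + 60)
    other = PacServer(b"other-authority").accept_pac_opaque(opaque, now + 60)
    return (fresh is not None and fresh["PAC-Key"] == pac["PAC-Key"] and fresh["I-ID"] == b"alice",
            expired is None, forged is None, other is None)
```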
EAP-FAST Authentication
Diagram: Client – Access Point – RADIUS Server – External User DB
  – Start; Request Identity; Identity
  – AP blocks all requests until authentication completes
  – Server sends A-ID; client returns PAC-Opaque
  – Establish a secure tunnel (PAC & TLS)
  – Client authentication: server authenticates client (against the external user DB)
  – Server authentication
  – Key management: WPA or CCKM key management used
  – Protected data session
EAP-TLS
• Client support
  – Windows 2000, XP, and Windows CE (natively supported)
  – Non-Windows platforms: third-party supplicants (Meetinghouse and Funk)
  – Each client requires a user certificate
• Infrastructure requirements
  – EAP-TLS-capable RADIUS server: Cisco ACS, Cisco AR, MS IAS, Funk, Interlink
  – RADIUS server requires a server certificate
  – Certificate Authority server (PKI infrastructure)
• Certificate management: both client and RADIUS server certificates must be managed
EAP-TLS Authentication
Diagram: Client – Access Point – RADIUS Server – Certificate Authority
  – Start; Request Identity; Identity
  – AP blocks all requests until authentication completes
  – Server certificate sent to the client (server authentication)
  – Client certificate sent to the server (client authentication)
  – Random session keys generated; encrypted exchange
  – Key management: WPA key management used
  – Protected data session
EAP-PEAP
• Hybrid authentication method
  – Server-side authentication with TLS
  – Client-side authentication with EAP authentication types (EAP-GTC, EAP-MSCHAPv2, etc.)
• Clients do not require certificates: simplifies end user/device management
• RADIUS server requires a server certificate
  – RADIUS server self-issuing certificate capability
  – Purchase a server certificate per server from a public PKI entity
  – Set up a simple PKI server to issue server certificates
• Allows one-way authentication types to be used
  – One-time passwords
  – Proxy to LDAP, Unix, NT/AD, Kerberos, etc.
EAP-PEAP Authentication
Diagram: Client – Access Point – RADIUS Server – External User DB
  – Start; Request Identity; Identity
  – AP blocks all requests until authentication completes
  – Server certificate sent to the client (server authentication); pre-master secret exchanged
  – Encrypted tunnel established
  – EAP-in-EAP authentication: client authentication (against the external user DB)
  – Key management: WPA key management used
  – Protected data session
PEAP v2
• Protection from man-in-the-middle exploits: cryptographic binding of the EAP exchange
• Unauthenticated provisioning mode for simplified deployment
• Initial EAP exchange uses an “EAP routing realm” or may be omitted in order to prevent sending the user identity in the clear
• Currently submitted to the IETF in draft form: http://www.ietf.org/internet-drafts/draft-josefsson-pppext-eap-tls-eap-10.txt
EAP Protocols: Feature Support
Feature                     | EAP-FAST                               | LEAP                                        | PEAP                                           | EAP-TLS
Single sign-on              | Yes                                    | Yes                                         | Yes                                            | Yes
Login scripts (MS DB)       | Yes                                    | Yes                                         | Yes (1)                                        | Yes (1)
Password expiration (MS DB) | Yes                                    | No                                          | Yes                                            | N/A
Client & OS availability    | Cisco/CCXv3 clients (4) and others (2) | Cisco/CCXv1 or above clients and others (2) | XP, 2000, CE, CCXv2 clients (3), and others (2) | XP, 2000, CE, and others (2)
MS DB support               | Yes                                    | Yes                                         | Yes                                            | Yes
LDAP DB support             | Yes                                    | No                                          | Yes (5)                                        | Yes
OTP support                 | No                                     | No                                          | Yes (5)                                        | No
Notes:
(1) Windows OS supplicant requires machine authentication (machine accounts on Microsoft AD)
(2) Greater operating system coverage is available from Meetinghouse and Funk supplicants
(3) PEAP/GTC is supported on CCXv2 clients and above
(4) Cisco 350/CB20A clients support EAP-FAST on MSFT XP, 2000, and CE operating systems. EAP-FAST supported on CB21AG/PI21AG clients with ADU v2.0 and CCXv3 clients in 1QCY2005
(5) Supported by PEAP/GTC only
EAP Protocols: Feature Support (continued)
Feature                                   | EAP-FAST   | LEAP    | PEAP   | EAP-TLS
Client certificates?                      | No         | No      | No     | Yes
RADIUS server scalability impact          | Low/Medium | Low     | High   | High
Server certificates?                      | No         | No      | Yes    | Yes
Deployment complexity                     | Low        | Low     | Medium | High
WPA support                               | Yes        | Yes     | Yes    | Yes
Local authentication                      | Yes        | Yes     | No     | No
Fast Secure Roaming (CCKM)                | Yes        | Yes     | No     | No
Off-line dictionary attacks?              | No         | Yes (1) | No     | No
Application Specific Device (ASD) support | Yes        | Yes     | No     | No
(1) Strong password policy recommended; please refer to http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html
EAP Protocol Deployment
Cisco Deployment Guides / Application Notes
• Cisco LEAP Deployment Guide: http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/products_technical_reference_chapter09186a0080225228.html
• Cisco PEAP Application Note: http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/products_technical_reference_chapter09186a008025d6ee.html
• Cisco EAP-TLS Application Note: http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/products_white_paper09186a008009256b.shtml
• Cisco EAP-FAST Application Note: http://www.cisco.com/en/US/partner/products/hw/wireless/ps430/prod_configuration_guide09186a0080262422.html
Protected Access
What are WPA and WPA2?
• Authentication and encryption standards for Wi-Fi clients and APs
• 802.1x authentication
• WPA uses TKIP encryption
• WPA2 uses AES encryption
Which should I use?
• Go for the Gold!
• Silver, if you have legacy clients
• Lead, if you absolutely have no other choice (i.e. ASDs)
  – Gold: WPA2/802.11i • EAP-FAST • AES
  – Silver: WPA • EAP-FAST • TKIP
  – Lead: dWEP (legacy) • EAP-FAST/LEAP • VLANs + ACLs
802.11i/WPA Authentication and Key Management Architecture
Diagram: Wireless Station – Access Point – Authentication Server
  – Station to AP: 802.11, 802.1X (EAPoL), EAP (e.g. EAP-TLS)
  – AP to Authentication Server: RADIUS over UDP/IP (out of scope of the 802.11i standard)
802.11i/WPA Authentication and Key Management Overview
Diagram: Station – Access Point – RADIUS; phases: Capabilities Discovery, 802.1X Authentication, Key Management / Key Distribution, Data Protection
Purpose of each phase (802.11i/WPA)
• Discovery
  – AP advertises capabilities in Beacon and Probe Response
  – SSID in Beacon/Probe provides a hint for the right authentication credentials
  – STA selects authentication suite and unicast cipher suite in the Association Request
• 802.1X authentication
  – Centralize network admission policy decisions at the AS
  – STA determines whether it does indeed want to communicate
  – Mutually authenticate STA and AS
  – Generate Master Key as a side effect of authentication
  – Generate Pair-wise Master Key (PMK) as an access authorization token
Purpose of each phase… (802.11i/WPA)
• RADIUS-based key distribution
  – AS moves (not copies) the Pair-wise Master Key (PMK) to the STA’s AP
• 802.1X key management
  – Bind PMK to STA and AP
  – Confirm both AP and STA possess the PMK
  – Generate a fresh Pair-wise Transient Key (PTK)
  – Prove each peer is live
  – Synchronize PTK use
  – Distribute the Group Transient Key (GTK)
802.11i/WPA Security Capabilities Discovery
Exchange between STA and Access Point:
  – Probe Request
  – Probe Response + WPA IE (AP supports WEP Mcast, TKIP Ucast, 802.1X Auth)
  – 802.11 Open System Auth
  – 802.11 Open Auth (Success)
  – Association Req + WPA IE (STA requests WEP Mcast, TKIP Ucast, 802.1X Auth)
  – Association Response (Success)
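The WPA information element carried in the Probe Response and Association Request above, parsed and checked on the AP side, as an added example (not vendor code). The IE bytes are constructed for the slide's case (WEP multicast, TKIP unicast, 802.1X); the check rejects an Association Request that selects a suite the AP never advertised.

```python
import struct

WPA_OUI = b"\x00\x50\xf2"                       # Microsoft OUI used by the WPA IE
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
AKMS = {1: "802.1X", 2: "PSK"}


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated WPA IE")
    return struct.unpack_from("<H", buf, pos)[0]


def _suite_name(sel: bytes, table: dict) -> str:
    # A suite selector is OUI (3 bytes) + suite type (1 byte).
    if sel[:3] != WPA_OUI:
        return "vendor:" + sel.hex()
    return table.get(sel[3], f"unknown-{sel[3]}")


def _suites(buf: bytes, pos: int, table: dict):
    # Little-endian count followed by that many 4-byte selectors.
    n = _u16(buf, pos)
    pos += 2
    if pos + 4 * n > len(buf):
        raise ValueError("truncated suite list")
    names = [_suite_name(buf[pos + 4 * i:pos + 4 * i + 4], table) for i in range(n)]
    return names, pos + 4 * n


def parse_wpa_ie(ie: bytes) -> dict:
    """Vendor-specific IE (ID 221), OUI 00:50:F2, OUI type 1 = WPA:
    version, group cipher, pairwise cipher list, AKM list."""
    if len(ie) < 2 or ie[0] != 221 or len(ie) < 2 + ie[1]:
        raise ValueError("not a complete IE")
    body = ie[2:2 + ie[1]]
    if body[:4] != WPA_OUI + b"\x01" or len(body) < 10:
        raise ValueError("not a WPA IE")
    version = _u16(body, 4)
    group = _suite_name(body[6:10], CIPHERS)
    pairwise, pos = _suites(body, 10, CIPHERS)
    akm, _ = _suites(body, pos, AKMS)
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def build_wpa_ie(group: int, pairwise: list, akm: list) -> bytes:
    body = WPA_OUI + b"\x01" + struct.pack("<H", 1) + WPA_OUI + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(WPA_OUI + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akm)) + b"".join(WPA_OUI + bytes([a]) for a in akm)
    return bytes([221, len(body)]) + body


def check_association(ap_ie: bytes, sta_ie: bytes) -> list:
    """AP-side check of an Association Request: the STA must select exactly one
    pairwise cipher and one AKM from what the AP advertised, and the same group cipher."""
    ap, sta = parse_wpa_ie(ap_ie), parse_wpa_ie(sta_ie)
    problems = []
    if sta["group"] != ap["group"]:
        problems.append(f"group cipher {sta['group']} differs from advertised {ap['group']}")
    if len(sta["pairwise"]) != 1 or sta["pairwise"][0] not in ap["pairwise"]:
        problems.append(f"pairwise {sta['pairwise']} is not one advertised suite of {ap['pairwise']}")
    if len(sta["akm"]) != 1 or sta["akm"][0] not in ap["akm"]:
        problems.append(f"AKM {sta['akm']} is not one advertised suite of {ap['akm']}")
    return problems


# Constructed Probe Response IE for the slide's AP: WEP-40 multicast, TKIP unicast, 802.1X.
PROBE_RESPONSE_IE = bytes.fromhex("dd160050f20101000050f20101000050f20201000050f201")

if __name__ == "__main__":
    print(parse_wpa_ie(PROBE_RESPONSE_IE))
    print(check_association(PROBE_RESPONSE_IE, build_wpa_ie(1, [2], [1])))   # []
    print(check_association(PROBE_RESPONSE_IE, build_wpa_ie(1, [4], [2])))   # two problems
```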
802.11i/WPA EAP Authentication Overview
Diagram: Station (STA) – Access Point – RADIUS; 802.1X between STA and AP, RADIUS between AP and server
  – AP 802.1X blocks port for data traffic; STA 802.1X blocks port for data traffic
  – 802.1X/EAP-Request Identity
  – 802.1X/EAP-Response Identity (EAP type specific); RADIUS Access Request/Identity
  – EAP type-specific mutual authentication
  – Derive Pairwise Master Key (PMK) on STA and on RADIUS
  – RADIUS Accept (with PMK)
  – 802.1X/EAP-SUCCESS
802.1X Key Management (802.11i/WPA)
• Original 802.1X key management hopelessly broken, so redesigned by 802.11i
• New model: given a PMK, AP and STA use it to derive a fresh PTK; the AP uses the KCK (EAPOL MIC) and KEK (EAPOL Encr) portions of the PTK to distribute the Group Transient Key (GTK)
802.11i/WPA Key Management Overview
Diagram: STA – Access Point – RADIUS (AS)
  – RADIUS pushes PMK from AS to AP
  – PMK and 4-way handshake derive, bind, and verify PTK
  – Group key handshake sends GTK from AP to STA
Unicast Keys: 4-Way Handshake (802.11i/WPA)
Both AP and STA start with the PMK.
  – AP: pick random ANonce
  – Message 1, AP to STA: (Reply Required, Unicast, ANonce)
  – STA: pick random SNonce, derive PTK = EAPoL-PRF(PMK, ANonce | SNonce | AP MAC Addr | STA MAC Addr)
  – Message 2, STA to AP: (Unicast, SNonce, MIC, STA RSN IE)
  – AP: derive PTK
  – Message 3, AP to STA: (Reply Required, Install PTK, Unicast, ANonce, MIC, AP RSN IE)
  – Message 4, STA to AP: (Unicast, MIC)
  – Install TK on both sides
Group Key Handshake (802.11i/WPA)
Both AP and STA hold the PTK.
  – AP: pick random GNonce, pick random GTK, encrypt GTK with KEK
  – AP to STA: EAPoL-Key(All Keys Installed, ACK, Group Rx, Key Id, Group, RSC, GNonce, MIC, GTK)
  – STA: decrypt GTK
  – STA to AP: EAPoL-Key(Group, MIC)
  – Data traffic unblocked on both sides
Session Key Explanation
Pairwise Master Key (PMK), 256 bits
Pairwise Transient Key (PTK), 512 bits:
  – Key Confirmation Key (KCK) – EAPOL MIC Key – PTK bits 0-127
  – Key Encryption Key (KEK) – EAPOL Encr Key – PTK bits 128-255
  – Temporal Key 1 (TK1) – Data Encr Key – PTK bits 256-383
  – Temporal Key 2 (TK2) – Data MIC Key – PTK bits 384-511
• PMK is derived from MK
• PTK is a collection of operational keys
• KCK: used to prove possession of the PMK and to bind the PMK to the authenticator
• KEK: used to distribute the group transient key (GTK)
• TK1 & TK2: used for encryption and are cipher specific
WPA Key Hierarchy
• PTK (Pairwise Transient Key – 64 bytes)
  – 16 bytes of EAPOL encryption key – AP uses this to encrypt the GTK while sending GTK message 1
  – 16 bytes of EAPOL MIC key – used to compute the MIC on WPA EAPOL-Key messages
  – 16 bytes Temporal Encryption Key (Data Encr Key) – used to encrypt/decrypt unicast TKIP MPDUs
  – Data MIC Key:
    - 8 bytes of Michael MIC Authenticator Tx Key – used to compute the TKIP MSDU MIC on unicast packets transmitted by the AP
    - 8 bytes of Michael MIC Authenticator Rx Key – used to compute the TKIP MSDU MIC on unicast packets transmitted by the station
• GTK (Groupwise Transient Key – 32 bytes)
  – 16 bytes of Group Temporal Encryption Key – used to encrypt multicast TKIP MPDUs
  – 8 bytes of Michael MIC Authenticator Tx Key – used to compute the TKIP MSDU MIC on multicast packets transmitted by the AP
  – 8 bytes of Michael MIC Authenticator Rx Key – currently not used, as stations do not send multicast traffic
TKIP: Per-Packet Key Mix
Phase 1 = Phase1-Mix(PTK_Enc, TA, Upper IV[32 bits])
Phase 2 = Phase2-Mix(PTK_Enc, Phase 1, Lower IV[16 bits])
Diagram: PMK and Xmit MAC feed the Phase 1 mixer together with the 32-bit upper IV to produce the Phase 1 key; the Phase 2 mixer combines it with the 16-bit lower IV to produce the per-packet WEP key; WEP generates the key stream, which is XORed with the plaintext to give the ciphertext
Michael MIC → protects MSDUs
Diagram: DA | SA | Payload → MIC (keyed with the MIC Key) → 8-byte MIC
Michael message processing
  Input: Key (K0, K1) and message M0, ..., MN
  Output: MIC value (V0, V1)
  MICHAEL((K0, K1), (M0, ..., MN)):
    (L, R) ← (K0, K1)
    for i = 0 to N-1:
      L ← L ⊕ Mi
      (L, R) ← b(L, R)
    return (L, R)
Michael block function
  Input: (L, R)   Output: (L, R)
  b(L, R):
    R ← R ⊕ (L <<< 17)
    L ← (L + R) mod 2^32
    R ← R ⊕ XSWAP(L)
    L ← (L + R) mod 2^32
    R ← R ⊕ (L <<< 3)
    L ← (L + R) mod 2^32
    R ← R ⊕ (L >>> 2)
    L ← (L + R) mod 2^32
    return (L, R)
• Weak MIC: 20 bits of security, 64-bit tag
• Cheap to implement: 1.5 cycles/byte
Michael MIC Countermeasures
• If an active attack is detected:
  – Delete PMK and PTK. This prevents the attacker from learning anything about those keys from the MIC failure.
  – Log the event. A MIC failure is an almost certain indication of an active attack, and warrants a follow-up by the system administrator.
  – The MIC failure rate must be less than one per minute. New keys must not be generated if devices frequently receive packets with forged MICs. The slowdown makes it impossible for the attacker to make a large number of attempts in a short time.
• Check CRC, ICV and IV before verifying the MIC. MPDUs with invalid CRCs or ICVs, or whose IVs fall before the IV window, shall be discarded before checking the MIC to avoid unnecessary MIC failure events.
• MIC countermeasures can be disabled on Cisco Access Points
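The Michael algorithm from the previous slide and the failure-rate countermeasure from this one, as one added example (not the slides' or Cisco's code). Padding and the DA/SA/priority prefix follow IEEE 802.11i, the key and addresses in the demo are constructed, and the 60 s window implements the slide's "less than one failure per minute" rule.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def rotr(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def xswap(x: int) -> int:
    # Swap the two bytes within each 16-bit half: b3 b2 b1 b0 -> b2 b3 b0 b1
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def michael_block(l: int, r: int):
    """b(L, R) from the slide; every addition is mod 2^32."""
    r ^= rotl(l, 17)
    l = (l + r) & MASK32
    r ^= xswap(l)
    l = (l + r) & MASK32
    r ^= rotl(l, 3)
    l = (l + r) & MASK32
    r ^= rotr(l, 2)
    l = (l + r) & MASK32
    return l, r


def michael(key: bytes, msg: bytes) -> bytes:
    """64-bit Michael tag over msg under the 64-bit key (K0, K1); little-endian words."""
    k0, k1 = struct.unpack("<II", key)
    # 802.11i padding: 0x5a then 4..7 zero bytes, so the length is a multiple of 4
    # and the last word fed to the block function is all zero.
    padded = msg + b"\x5a" + bytes(4 + (3 - len(msg)) % 4)
    l, r = k0, k1
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = michael_block(l, r)
    return struct.pack("<II", l, r)


def michael_msdu(key: bytes, da: bytes, sa: bytes, priority: int, payload: bytes) -> bytes:
    # The MIC covers DA || SA || priority || 3 zero bytes || MSDU payload, binding the
    # addresses to the data so a replayed payload cannot be redirected.
    return michael(key, da + sa + bytes([priority]) + bytes(3) + payload)


class MicFailureHandler:
    """Receiver-side countermeasures: one forged MIC is logged; a second inside
    60 s deletes the key material and blocks rekeying for 60 s, which caps an
    attacker at roughly one forgery attempt per minute."""

    WINDOW_S = 60

    def __init__(self, rx_mic_key: bytes):
        self.rx_mic_key = rx_mic_key   # dropped together with PTK/GTK on countermeasures
        self.last_failure = None
        self.countermeasures_until = None
        self.log = []

    def receive(self, da: bytes, sa: bytes, priority: int, payload: bytes, mic: bytes, now: float) -> bool:
        """True if the MSDU is accepted. CRC/ICV/IV-window checks are assumed to have
        run before this point, as the slide requires, so only real forgeries count."""
        if self.rx_mic_key is None:
            return False   # keys deleted; nothing is accepted until a fresh handshake
        expected = michael_msdu(self.rx_mic_key, da, sa, priority, payload)
        if hmac.compare_digest(expected, mic):
            return True
        self.log.append(f"t={now:.0f}: MIC failure on MSDU from {sa.hex()}, probable active attack")
        if self.last_failure is not None and now - self.last_failure < self.WINDOW_S:
            self.rx_mic_key = None   # delete PMK/PTK material; new keys only after the window
            self.countermeasures_until = now + self.WINDOW_S
            self.log.append(f"t={now:.0f}: second MIC failure within {self.WINDOW_S}s, countermeasures invoked")
        self.last_failure = now
        return False


def countermeasure_demo():
    # Constructed key and addresses (not from any capture).
    key = bytes.fromhex("0123456789abcdef")
    da, sa = bytes.fromhex("00112233aabb"), bytes.fromhex("00aabbccdd01")
    handler = MicFailureHandler(key)
    good = michael_msdu(key, da, sa, 0, b"GET / HTTP/1.0")
    accepted = handler.receive(da, sa, 0, b"GET / HTTP/1.0", good, now=0.0)
    first = handler.receive(da, sa, 0, b"GET /!HTTP/1.0", good, now=10.0)   # flipped payload
    second = handler.receive(da, sa, 0, b"GET /?HTTP/1.0", good, now=30.0)  # 20 s later
    return accepted, first, second, handler.countermeasures_until
```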
WPA-PSK
• WPA-PSK becoming somewhat popular recently
  – Available on some handhelds, esp. Symbol
  – Advantage: unique per-client, temporal keys
  – Disadvantage: PSK shared across all clients (similar key management issues as static WEP)
• WPA-PSK does not function on the Distributed Architecture with AAA MAC auth
• Make sure that customers are aware of the dictionary attack potential with WPA-PSK
  – PSK may be set explicitly as 64 hex characters or with a “passphrase”, which uses a well-known expansion to generate the PSK
  – Brute force attack on a 256-bit key is non-trivial
  – Strong passwords should be used if utilizing a “passphrase”
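The passphrase expansion just mentioned, together with the 4-way handshake PTK derivation and the KCK/KEK/TK split from the key-hierarchy slides, as one added example (not the slides' or Cisco's code). The MAC addresses, nonces and passphrase are constructed; the PSK test vector is the one from IEEE 802.11i Annex H.4, and the EAPOL-Key MIC is the WPA/TKIP (descriptor version 1) HMAC-MD5 variant.

```python
import hashlib
import hmac
import struct


def psk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    # The "well-known expansion": PBKDF2-HMAC-SHA1 with the SSID as salt, 4096
    # iterations, 256-bit output. The result is used directly as the PMK.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    # 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ...
    # concatenated and truncated to nbits.
    out = b""
    for i in range((nbits + 159) // 160):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # PTK = PRF-512(PMK, "Pairwise key expansion",
    #               Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce))
    # Ordering by value rather than by role gives AP and STA the same PTK.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 512)


def split_ptk_tkip(ptk: bytes) -> dict:
    # TKIP PTK layout (512 bits): KCK | KEK | TK1 | TK2 (two 8-byte Michael keys).
    return {
        "KCK": ptk[0:16],          # EAPOL-Key MIC key (bits 0-127)
        "KEK": ptk[16:32],         # wraps the GTK in the group key handshake
        "TK1": ptk[32:48],         # unicast data encryption key
        "TK2_tx_mic": ptk[48:56],  # Michael key for frames sent by the authenticator
        "TK2_rx_mic": ptk[56:64],  # Michael key for frames sent by the station
    }


# EAPOL-Key layout: 4-byte EAPOL header, then descriptor type(1), key info(2),
# key length(2), replay counter(8), nonce(32), IV(16), RSC(8), ID(8), MIC(16), data len(2).
MIC_OFFSET = 4 + 1 + 2 + 2 + 8 + 32 + 16 + 8 + 8
MIC_LEN = 16


def build_msg2(snonce: bytes, wpa_ie: bytes, replay_counter: int = 1) -> bytes:
    # Minimal handshake message 2: WPA descriptor type 254, key info = Pairwise | MIC |
    # key descriptor version 1 (HMAC-MD5). The MIC field is left zero for sealing.
    body = struct.pack(">BHHQ", 254, 0x0109, 32, replay_counter)
    body += snonce + bytes(16) + bytes(8) + bytes(8) + bytes(MIC_LEN)
    body += struct.pack(">H", len(wpa_ie)) + wpa_ie
    return struct.pack(">BBH", 1, 3, len(body)) + body   # EAPOL version 1, type 3 (Key)


def eapol_key_mic(kck: bytes, frame: bytes) -> bytes:
    # WPA/TKIP: HMAC-MD5 over the whole EAPOL frame with the MIC field zeroed.
    zeroed = frame[:MIC_OFFSET] + bytes(MIC_LEN) + frame[MIC_OFFSET + MIC_LEN:]
    return hmac.new(kck, zeroed, hashlib.md5).digest()


def seal(kck: bytes, frame: bytes) -> bytes:
    return frame[:MIC_OFFSET] + eapol_key_mic(kck, frame) + frame[MIC_OFFSET + MIC_LEN:]


def verify_mic(kck: bytes, frame: bytes) -> bool:
    # The authenticator recomputes the MIC with its own KCK: a match proves the station
    # derived the same PTK, i.e. holds the PMK and saw the same nonces and addresses.
    received = frame[MIC_OFFSET:MIC_OFFSET + MIC_LEN]
    return hmac.compare_digest(received, eapol_key_mic(kck, frame))


def handshake_demo():
    pmk = psk_from_passphrase("password", "IEEE")            # constructed SSID/passphrase
    aa = bytes.fromhex("00112233aabb")                         # AP (authenticator) MAC
    spa = bytes.fromhex("00aabbccdd01")                        # station MAC
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    ap_keys = split_ptk_tkip(derive_ptk(pmk, aa, spa, anonce, snonce))
    sta_keys = split_ptk_tkip(derive_ptk(pmk, aa, spa, anonce, snonce))
    wpa_ie = bytes.fromhex("dd160050f20101000050f20201000050f20201000050f202")  # TKIP/TKIP/PSK
    msg2 = seal(sta_keys["KCK"], build_msg2(snonce, wpa_ie))
    # A wrong passphrase yields a different KCK, so its message 2 fails the AP's check.
    bad_pmk = psk_from_passphrase("guess", "IEEE")
    bad_kck = split_ptk_tkip(derive_ptk(bad_pmk, aa, spa, anonce, snonce))["KCK"]
    forged = seal(bad_kck, build_msg2(snonce, wpa_ie))
    return ap_keys == sta_keys, verify_mic(ap_keys["KCK"], msg2), verify_mic(ap_keys["KCK"], forged)
```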
Pre-shared Key (PSK) Authentication Overview (802.11i/WPA)
Diagram: Wireless Station – Access Point; PSK pre-programmed in the AP and the STA
  – 802.11 security capabilities discovery
  – Enhanced 802.1X key management (generate and install PTK and GTK)
  – Data protection
WPA and WPA2 Comparison
Mode                                              | WPA                                                    | WPA2
Enterprise Mode (Business, Education, Government) | Authentication: IEEE 802.1X/EAP; Encryption: TKIP/MIC | Authentication: IEEE 802.1X/EAP; Encryption: AES-CCMP
Personal Mode (SOHO, Home/Personal)               | Authentication: PSK; Encryption: TKIP/MIC              | Authentication: PSK; Encryption: AES-CCMP
IEEE 802.11i
• Ratified June 2004
• Defines security standards for wireless LANs
• Details stronger encryption, authentication, and key management strategies for wireless data and system security
• Requires a hardware accelerator chip in the radio
• Includes the following:
  – Two new data-confidentiality protocols – TKIP and AES-CCMP
  – Negotiation process for selecting the correct confidentiality protocol
  – Key system for each traffic type
  – Key caching and pre-authentication
• Official announcement from IEEE: http://standards.ieee.org/announcements/pr_80211iv1.html
AES Encryption
• Encryption standard defined by NIST (National Institute of Standards and Technology) to replace DES
  – The ‘Gold’ standard
  – Hardware encryption vs. software encryption
• Replaces RC4 encryption in IEEE 802.11i (CCMP w/AES replaces TKIP w/RC4)
  – 128-bit symmetric cipher, 48-bit initialization vector
  – CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol)
• Requires hardware acceleration, or the overall performance of an 11 Mb radio will be unacceptable
• Facilitates government FIPS 140-2 compliance (note: 802.1X is not FIPS compliant)
Centralized Solution FIPS 140-2 Key Management
Cisco Centralized Wireless LAN Solution (802.11i Client/Server Security)
Diagram: FIPS-compliant supplicant – FIPS Aironet AP – FIPS WLAN controller – FIPS-compliant RADIUS
  1. EAP-TLS client-server authentication & PMK derivation (802.1X-EAPOL between supplicant and AP, LWAPP between AP and controller, RADIUS as EAP transport between controller and RADIUS server)
  2. RADIUS distributes the PMK to the controller (RAD keywrap AES-SHA-1)
  3. Controller and supplicant derive PTK = KCK, KEK & GTK
  4. Controller distributes the PTK to the AP (LWAPP AES-CCM)
Data protection: 802.11i AES-CCMP (128b) between supplicant and AP; LWAPP AES-CCM between AP and controller; 802.11i AES-CCMP (256b); vendor interoperable
Cisco Wireless – Guarding the Air Space for the United States Military Academy
Improving Secure Roaming Latency – Cisco Centralized Key Management
Diagram: Cisco ACS AAA server – WAN – Wireless Domain Server (WDS) – AP1 – AP2 – client
  – APs 802.1X authenticate to the RADIUS server via the WDS
  – APs establish a secure connection to the WDS
  – Client 802.1X authenticates with the AAA server
  – Master key is cached on the WDS and sent to the AP, where it is used to derive a session key for AP1 and the client
  – Client indicates to AP2 that it is roaming from AP1
  – WDS securely sends the client’s master key to AP2
  – Client and AP2 generate new encryption keys
NOTE: Because the WDS handles roaming and re-authentication, the WAN link is not used
Cisco Centralized Key Management (CCKM)
Feature Description:
• CCKM – Cisco Centralized Key Management protocol enables fast 802.1x reauthentication
• CCKM support available for the following 802.1x EAP types
• EAP-LEAP
• EAP-FAST
• EAP-PEAP-GTC *
• EAP-PEAP-MSCHAPv2 *
• EAP-TLS
* Optional for ASD
Benefit:
• Fast re-authentication with CCX version 2 clients (important for clients not supporting WPA2)
• Provides a survivability benefit in that it permits client roaming/reauthentication even when the network link between the Controller and RADIUS server is down
Controller CCKM Support
• Architecturally very similar to PKC
• Client must be CCKM-capable (RN + MIC sent in reassoc req)
• CCKM Cache is maintained on each controller
• Controller mobility group automatically/proactively exchanges NSK
• TKIP/AES encryption supported with CCKM
Initial Authentication: NSK Derived; NSK used in 4W Handshake
NSK Proactively cached on new controller
Client Roam: Reassociation Request (RN + MIC); Reassociation Response; NSK used in 4W Handshake
CCKM vs. PKC
• CCKM
CCX version 2 clients (LEAP)
CCX version 4 - support with other EAP types (EAP-TLS, PEAP)
7920/ PDA’s/ WinCE
“Pre-standard” Fast Secure Roaming solution
• PKC
Ubiquitous support for WPA2/AES clients
Any EAP type
802.11i PMK Caching
• Whenever an AP and a STA have successfully passed dot1x based authentication, both of them may cache the PMK record to be used later
• When a STA is going to (re-)associate to an AP, it may attach a list of PMKIDs (which were derived via the dot1x process with this AP before) in its RSNIE in the (re-)association request frame
• When PMKIDs exist in the STA’s RSNIE, the AP can use them to retrieve the PMK record from its own PMK cache; if a PMK is found and it matches the STA MAC address, the AP can bypass the dot1x authentication process and directly start the WPA2 4-way key handshake session with the STA
• PMK cache records will be kept for 1 hour for non-associated STAs
• Enable PMK caching to bypass 802.1X Authentication
802.11i With Very Fast Roaming: Proactive Key Caching (PKC) Reduces AAA Exchanges
Initial association: “Access Challenge” sent to RADIUS server via Airespace WLAN; “Access Accept”, Master Key Generated (PMK = X); Client A Four-way Handshake; 802.11i Encrypted Link
Roam: PMK Cache already holds Client A → X; Four-way Handshake; 802.11i Encrypted Link (no new RADIUS exchange)
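The PMKID lookup and one-hour cache lifetime from the PMK Caching slide, the PKC roam above, and the PTK derivation shown in the FIPS key-management slide, as an added Python example (not code from the presentation or from Cisco). The PMKID and PRF constructions are the ones IEEE 802.11i defines; the cache class, the expiry handling and all MAC addresses, keys and nonces are constructed for this example.

```python
import hashlib
import hmac
import time
from typing import Dict, List, Optional, Tuple

PMK_CACHE_TTL = 3600  # seconds: the slide keeps records for non-associated STAs for 1 hour


def pmkid(pmk: bytes, aa: bytes, spa: bytes) -> bytes:
    """PMKID per IEEE 802.11i: HMAC-SHA1-128(PMK, "PMK Name" || AA || SPA).
    AA = authenticator (AP) MAC, SPA = supplicant (STA) MAC, each 6 raw bytes."""
    return hmac.new(pmk, b"PMK Name" + aa + spa, hashlib.sha1).digest()[:16]


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i) for i = 0, 1, ..."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> Dict[str, bytes]:
    """4-way handshake key expansion for CCMP: PTK = PRF-384(PMK, "Pairwise key expansion",
    Min(AA,SPA) || Max(AA,SPA) || Min(ANonce,SNonce) || Max(ANonce,SNonce)), split into
    KCK (EAPOL-Key MIC key), KEK (key-wrap key, e.g. for the GTK) and TK (CCMP data key)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


class PmkCache:
    """AP-side PMK cache keyed by PMKID (constructed model of the 802.11i PMKSA cache)."""

    def __init__(self, aa: bytes, ttl: int = PMK_CACHE_TTL) -> None:
        self.aa = aa
        self.ttl = ttl
        self._entries: Dict[bytes, Tuple[bytes, bytes, float]] = {}  # pmkid -> (pmk, spa, expiry)

    def store(self, pmk: bytes, spa: bytes, now: Optional[float] = None) -> bytes:
        """Called after a successful 802.1X/EAP exchange; returns the PMKID the STA will quote."""
        now = time.time() if now is None else now
        pid = pmkid(pmk, self.aa, spa)
        self._entries[pid] = (pmk, spa, now + self.ttl)
        return pid

    def lookup(self, pmkids: List[bytes], spa: bytes, now: Optional[float] = None) -> Optional[bytes]:
        """Walk the PMKID list from the STA's RSNIE; a hit requires an unexpired record
        whose cached STA MAC matches the (re)associating STA, as the slide states."""
        now = time.time() if now is None else now
        for pid in pmkids:
            entry = self._entries.get(pid)
            if entry is None:
                continue
            pmk, cached_spa, expiry = entry
            if now >= expiry:
                del self._entries[pid]  # stale record: fall through to full authentication
                continue
            if cached_spa != spa:
                continue  # PMKID known, but quoted by a different MAC: do not reuse the key
            return pmk
        return None


def handle_reassociation(cache: PmkCache, spa: bytes, rsnie_pmkids: List[bytes],
                         now: Optional[float] = None) -> Tuple[str, Optional[bytes]]:
    """Decide whether the AP may skip 802.1X and go straight to the 4-way handshake."""
    pmk = cache.lookup(rsnie_pmkids, spa, now)
    if pmk is None:
        return ("full-802.1x", None)
    return ("four-way-handshake", pmk)
```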
WPA2/ EAP Supplicant availability
• Native Windows Supplicant
WPA supported with Windows XP; note that a patch is required for WPA2 compatibility - XP SP2 does NOT support WPA2
• Cisco 350 and CB20A Client
WPA supported with Aironet Client Utility (Win2K, WinXP) using LEAP or EAP-FAST
Microsoft WPA or 3rd party supplicant must be used for WPA with other EAP types
No WPA2/AES support
• CB21AG / PI21AG Clients
WPA supported for all EAP types on both Windows 2000 and Windows XP platforms
LEAP, EAP-TLS, PEAP/MS-CHAPv2, and PEAP-GTC (EAP-FAST in ADU v2.0)
WPA2/AES supported in ADU v2.0
WLAN Security Authentication and Encryption Summary
• WLAN Security encompasses both authentication and encryption and both components are mandated by WPA
• Care should be taken to ascertain that the chosen EAP authentication type is compatible with the authentication database
• WPA provides dynamic, per-packet keying in addition to key authentication/ message integrity
• WLAN Client capability/ availability must be considered when choosing WLAN authentication and encryption options
Centralized System Security Highlights
• X.509 certificates guarantee identity
Zero touch, if desired
AP must prove identity through unique private key
AP’s identity is validated and authorization check is performed
Only APs you want are allowed in
• Zero false positives on AP impersonation
Trusted MAC address is not sufficient
Hacker steals trusted MAC address and runs Host AP
Both over the air and wire
• LWAPP protocol peer review
Airespace FIPS-140-2 level 2 certification (prior to merger)
Including LWAPP Key Distribution
LWAPP specification publicly available for > 2 years
LWAPP Architecture
• The Light Weight Access Point Protocol (LWAPP) is used between an AP and a WLAN Controller.
• LWAPP provides benefits to secure deployment and operation of WLAN APs
Permits authentication of AP and encryption of AP control data
Permits centralization of traffic and simple traffic policing
Control traffic between Access Point and controller is authenticated and encrypted (AES-CCM encrypted control channel)
LWAPP AP Switch Discovery Process
New AP is installed – PSK is configured; AP generates self signed certificate
Admin saves public key and serial number & configures RADIUS Server (ACS Server, AP DB)
LWAPP Join Request
AP Authorization: RADIUS validates public key and serial number; Access-Accept
LWAPP Join Response
Service is provided over the Secured LWAPP Channel
LWAPP Switch Discovery
• AP discovers switch via L2 or L3, checks image and downloads configuration
LWAPP AP does not retain any configuration data
• As part of authentication process, LWAPP AP is provided a new key used to encrypt control traffic
AP must prove identity through unique private key (X.509)
Key used to encrypt AP control data
Client X.509 Certificate / Server X.509 Certificate
Centralized Wireless LAN Deployment-Wired Security Features
• Basic security features on the wired switches to consider:
WLAN “mapping” permits extension of wireless policy to wired network
Isolated VLANs for WLAN deployment
Layer 2 to Layer 4 ACLs may be applied
• Advanced security features on the wired switches to consider, especially applicable to wireless
DHCP Snooping: To protect against rogue/malicious DHCP server
Router ACLs and VLAN ACLs
RP Rate Limiters: To prevent DoS attacks using “bogus” traffic (Example: ICMP ping requests from bogus IP addresses)
TCP Intercept: Can be used to prevent TCP SYN flooding attacks
Mapping Wireless Security Policies to the Wired Network
• Multiple WLAN Security Policies
Data vs Voice vs Legacy devices vs Guest access
VLAN to SSID mapping
• Mapping WLAN Security policies to Wired security policies
Use L2 to L4 ACLs on the wired side to reinforce WLAN security policies
• Wired network Integration
Use security features on the interface which terminates wireless traffic
Example (AP Channel: 6): SSID “Data” = VLAN 1, SSID “Voice” = VLAN 2, SSID “Visitor” = VLAN 3; uplink To Distribution Layer
Wireless Security Policy assignment
• Centralized architecture provides a consolidated point for policy enforcement
• Policy may be based on:
WLAN SSID accessed
Associated AP (i.e. location)
User authentication
Client device security “posture” (i.e., NAC)
What is Wireless IDS?
• Wireless Intrusion Detection permits the detection of malicious or non-malicious security events on the WLAN
Rogue AP detection
Denial-of-Service detection
WLAN Exploit Signature Analysis
RF Interference detection
• Detection of attempts to access WLAN network and attempts to attract managed clients (honeypot)
• Wireless IPS - Intrusion Prevention System
Why Wireless IDS Matters?
• Ongoing monitoring of 802.11 network to detect
Unauthorized/ Rogue Access Points
Active attacks - Denial of Service (DoS) or specific tools
Incorrectly configured Access Points and Clients
• Wireless IDS has become an evolving technology area
WLAN media is unlicensed and 802.11 compatible hardware may be easily and economically obtained
Attack tools are more prevalent/ easily acquired
Requirement to monitor for these specific types of attacks or tools (NetStumbler, FakeAP, Wellenreiter, AirJack, Asleap, etc.)
Manual containment (alert the administrator and let him choose a course of action) vs Auto containment
Integrated vs Overlay IDS Architectures
Overlay: IDS Overlay Sensor Network – WLAN Switch, IDS Appliance, Sensor 1, Sensor 2
Integrated vs Overlay IDS Architectures
Integrated IDS Architecture (Cisco WLAN Controller, Cisco 1000 Series APs):
• 100% network coverage (no hidden nodes)
• No extra hardware costs (sensors/IDS appliance)
• Single NMS (Cisco Wireless Control System)
• LOCATION ENABLED
A Complete Solution for Handling Rogues
1. Detect Rogue AP (generate alarm)
2. Assess Rogue AP (Identity, Location, ..)
3. Contain Rogue AP
4. View Historical Report
• Can be automated
• Multiple rogues contained simultaneously
• ACS validates that no valid clients are associated to rogue
Cisco WLAN Security Components
1) Identity Networking
• Mutual authentication
• Strong encryption
• User policy enforcement (AAA, ACL’s, QoS contracts)
2) Intrusion Protection
• Rogue detection & location map
• IDS attack signatures
• Client exclusion & containment
• Hi-res location tracking
3) Secure RF Mgmt
• RF bleed-over protection
• Coverage hole correction
• Interference avoidance
• Hi-res location tracking
4) Secure Enterprise Mobility
• “Follow-me” VPNs
• Pro-active Key Caching (PKC)
• Fast Secure Roaming
5) Network Access Control
• Host-based integrity checking
• Anti-virus protection
• Client remediation
IDS Components
• Wireless IDS may be deployed in either Dedicated or Integrated manner
• With “Integrated” deployment, it is necessary to time-share between 802.11 service and intrusion-monitoring
This may preclude detection of some intrusion events and rogue AP tracking
Dedicated WIDS server may provide additional capabilities in intrusion analysis
NOTE: It is possible to deploy a “hybrid” WIDS system which employs dedicated monitor devices, without a complete network overlay
Integrated WIDS: Access Point – WLAN Controller (or aggregation point) – WLAN NMS w/IDS function
Dedicated WIDS: RF Monitor/Scanning-mode AP – Dedicated WIDS Server
Radio (Air/RF) Monitoring
Diagram: Network Core, Distribution and Access layers of switches; RF monitors (RM) at the Access layer detect Rogue APs and report to the Wireless Controller or IDS Server / WDS Service (aggregation point)
Rogue AP detection
• Rogue AP Detection has multiple facets:
Air/RF detection - detection of rogue devices by observing/sniffing beacons and 802.11 probe responses
Rogue AP location- use of the detected RF characteristics and known properties of the managed RF network to locate the rogue device
Wire detection- a mechanism for tracking/correlating the rogue device to the wired network
• A WIDS may require different deployments to effectively address all of these facets
For example, it is typically required to use a scanning-mode AP as a “rogue traffic injector” to attempt to trace the rogue’s connected port
Rogue AP Detection & Suppression
• Rogue AP detection methodology
WLAN system collects (via beacons and probe responses) and reports BSSID information
System compares collected BSSID information versus authorized (i.e. managed AP) BSSID information
Unauthorized APs are flagged and reported via fault monitoring functionality
• Rogue AP suppression techniques
Trace the rogue AP over the wired network and shut-down the switch port
Use of managed devices to disassociate clients from unauthorized AP and prevent further associations via 802.11 deauthentication frames
WIDS 802.11 Traffic Analysis
• Potentially service-impacting 802.11 (or non-802.11) traffic should be characterized/ detected
Interference (white noise, Bluetooth, legacy 802.11, or other ISM-band interferers)
Denial-of-Service exploits (association, probe, EAP)
Reconnaissance tools (Netstumbler, etc.)
Exploit tools (Monkey-Jack, FakeAP, etc.)
• Note that 802.11 Management Frames - association/ authentication/ probe - are not encrypted or authenticated in current implementations
Thus, it is not possible to eliminate the possibility of Denial of Service attacks
The severity of such DoS events should be characterized
Mechanisms for securing 802.11 control messages are being considered, but will induce compatibility challenges
WIDS Signature Analysis
• Per-packet examination of WLAN protocols
• Seek specific pattern in WLAN data payload
• Note that it may also be useful to characterize the signature traffic- i.e., source, rate, time, etc.
• Requires that database of known WIDS be maintained
NOTE: Supported with Cisco LWAPP deployment
WLAN Attacks & Standard Signature
• Bcast Deauth
• NULL probe resp 1
• NULL probe resp 2
• Assoc flood
• Reassoc flood
• Probe flood
• Disassoc flood
• Deauth flood
• Res mgmt 6 & 7
• Res mgmt D
• Res mgmt E & F
• EAPOL flood
• NetStumbler 3.2.0
• NetStumbler 3.2.3
• NetStumbler 3.3.0
• NetStumbler generic
• Wellenreiter
• FakeAP
• AP impersonation
• Spoofed deauthentication frame
• FATA-Jack
• Honeypot AP
• Monkey Jack (Man in the middle)
• Management frame flood
• Broadcast deauthenticate frame
• EAPoL Flood
• NetStumbler
• Wellenreiter
• Null Probe Response
• Valid stations, invalid SSID
• Invalid OUIs
• WEP Weak IV detection
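Several of the signatures listed above (null probe response, broadcast deauthentication, flood signatures, valid station on an invalid SSID), run over constructed 802.11 management-frame records, as an added Python example that is not part of the presentation and not Cisco's signature engine. The detector, its thresholds (five frames within one second) and the sample MACs are assumptions; the authorized SSIDs are the ones from the VLAN-mapping slide.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample MACs (not from the presentation).
AP1 = "00:0b:85:00:00:01"       # managed AP
CLIENT1 = "00:40:96:aa:bb:cc"   # managed client
ROGUE = "00:11:22:33:44:55"     # unknown AP

# Constructed management-frame records: (time in s, subtype, src, dst, bssid, ssid).
SAMPLE_FRAMES: List[Tuple[float, str, str, str, str, str]] = [
    (0.00, "beacon",     AP1,     BROADCAST, AP1,   "Data"),
    (0.10, "probe_resp", AP1,     CLIENT1,   AP1,   "Data"),
    (0.20, "probe_resp", ROGUE,   CLIENT1,   ROGUE, ""),           # empty SSID in a probe response
    (1.00, "deauth",     AP1,     BROADCAST, AP1,   ""),           # source address presumably spoofed
    (1.05, "deauth",     AP1,     CLIENT1,   AP1,   ""),
    (1.10, "deauth",     AP1,     CLIENT1,   AP1,   ""),
    (1.15, "deauth",     AP1,     CLIENT1,   AP1,   ""),
    (1.20, "deauth",     AP1,     CLIENT1,   AP1,   ""),
    (2.00, "assoc_req",  CLIENT1, ROGUE,     ROGUE, "Free-WiFi"),  # managed client joins an unknown SSID
]

# Signature names follow the slide's list; flood subtypes map to the matching flood name.
FLOOD_SIGNATURES = {
    "deauth": "Deauth flood", "disassoc": "Disassoc flood", "assoc_req": "Assoc flood",
    "reassoc_req": "Reassoc flood", "probe_req": "Probe flood", "eapol": "EAPOL flood",
}


def analyse(frames, authorized_ssids: Set[str], managed_clients: Set[str],
            flood_threshold: int = 5, window: float = 1.0) -> List[Tuple[float, str, str]]:
    """Return (time, signature, offending MAC) alerts. Thresholds are example values; a real
    WIDS tunes them per deployment, since floods are judged by rate, not by a single frame."""
    alerts: List[Tuple[float, str, str]] = []
    recent: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)  # (subtype, src) -> times
    for ts, subtype, src, dst, bssid, ssid in frames:
        # Null probe response: probe response carrying a zero-length SSID.
        if subtype == "probe_resp" and ssid == "":
            alerts.append((ts, "Null Probe Response", src))
        # Broadcast deauthentication: one frame knocks every client off the BSS.
        if subtype == "deauth" and dst == BROADCAST:
            alerts.append((ts, "Broadcast deauthenticate frame", src))
        # Flood signatures: too many frames of one subtype from one source inside the window.
        if subtype in FLOOD_SIGNATURES:
            q = recent[(subtype, src)]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) == flood_threshold:  # alert once, when the threshold is first reached
                alerts.append((ts, FLOOD_SIGNATURES[subtype], src))
        # Valid station, invalid SSID: a managed client associating to a non-authorized SSID.
        if subtype in ("assoc_req", "reassoc_req") and src in managed_clients \
                and ssid not in authorized_ssids:
            alerts.append((ts, "Valid stations, invalid SSID", src))
    return alerts


def run_sample() -> List[Tuple[float, str, str]]:
    # SSIDs from the VLAN-mapping slide; the managed-client set is constructed.
    return analyse(SAMPLE_FRAMES, {"Data", "Voice", "Visitor"}, {CLIENT1})


if __name__ == "__main__":
    for ts, sig, mac in run_sample():
        print(f"t={ts:.2f}s  {sig:32s} {mac}")
```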
WIDS Rogue Containment
• In addition to detection of unassociated client devices, an active mechanism for containing unauthorized wireless devices is desirable in many cases
• It is possible to issue 802.11 deauthentication packets with “spoofed” source address to disconnect clients from rogue device
Care should be taken in employing active session/ device termination traffic
May be service impacting to managed network or neighbor networks
Number of APs for containment is configurable; maximum of 3 concurrent containments per AP
NOTE: Supported with Cisco LWAPP deployment
WIDS Client Exclusion
• Client Exclusion Policy may be used to exclude client from WLAN network
No response is issued to excluded client probe requests
• Client exclusion may be triggered by the following
802.11 authentication/ association failure
802.1X authentication failure
IP reuse
Web auth failure
• Client exclusion may also be manually invoked
Configurable timer, or client may be indefinitely excluded until manually removed from exclusion list
NOTE: Supported with Cisco LWAPP deployment
Cisco Autonomous AP Implementation
• Integrated Wireless IDS deployment
Active 802.11 Access Points collect RF data while serving 802.11 clients, with two possible configurations:
1) AP configured for a specific channel and can collect data for that channel while serving clients
2) AP configured for a specific channel may jump to other channels (i.e. non-serving channel) while idle to collect RF information
• Dedicated Wireless IDS deployment
AP functions as a dedicated sensor to scan all channels for 802.11b/g and/or 802.11a traffic
Specialized IDS functions available via dedicated mode:
Unassociated client and wireless MAC spoofing
Man-in-the-middle attack detection (TKIP/AES-CCM replay, MIC failure)
Excess management frame and EAPOL flood detection
Supported with WLSE 2.7 and 12.2(15)JA release and later
LWAPP WIDS Implementation
• Integrated Wireless IDS deployment
WLAN services 802.11 traffic and provides most IDS functions
• Dedicated/hybrid Wireless IDS deployment
LWAPP APs may be deployed in one of 3 modes:
Local - serves 802.11 traffic & monitors
Monitor - monitors 802.11 traffic on all channels
Rogue Detector - monitors wired + 802.11 traffic
Monitor mode permits full-time monitoring of all 802.11 channels for Signature detection, etc.
Rogue Detector mode permits wired network correlation of rogue AP devices (via ARP sniffing)
Cisco LWAPP: Locate Rogue AP (High Resolution)
Cisco LWAPP: Map Rogue AP
Cisco LWAPP: Rogue Containment
• Rogue AP, rogue client, or Ad-hoc client may be contained by controller issuing unicast deauthentication packets
Maximum number of APs participating in containment is configurable
Maximum of 3 concurrent containments may operate on a single LWAPP AP
Containment policy may be set to “alarm only” or “auto contain”
Rogue client devices may be authenticated to a RADIUS (MAC address) database
Maximum time for auto-containment is configurable
Cisco LWAPP:Rogue AP Detection and Containment
Cisco LWAPP: Monitor > Wireless > Rogue APs > Edit
Rogue Containment diagram: Controller – AP – Rogue AP; 2 AP Containment, with each containing AP sending Spoof Broadcast Deauthentication toward the Rogue AP
NEW - Cisco IDS/IPS Sensor Integration - Client Shunning (WLC 4.0 Release)
Cisco Unified Wireless Network Software Release 4.0
• Security: Cisco Unified IDS/IPS
• Cisco is the 1st vendor to provide an integrated wireline and wireless security solution
Supports and complements the Cisco Self-Defending Network
Cisco leads the industry with a holistic approach to security – at the wireless edge, wired edge, WAN edge through the data center
When a trusted client acts maliciously (i.e. tries to hack into personnel or financial servers), Cisco’s IDS detects the attack and initiates a “Client block” or shun request, which may then be acted on by WLAN controllers
Cisco Intrusion Prevention System Stops Worms and Malicious Traffic
Cisco Intrusion Prevention System v5.0
Accurate Inline Prevention Technologies: Increases accuracy and confidence for inline mitigation actions
Multivector Threat Identification: Achieves maximum attack identification via multiple analysis techniques
Comprehensive Deployment Solutions: Provides a range of reliable high performance solutions
Unique Network Collaboration: Leverages the network for enhanced scalability and resiliency
IDS Event and Client “Shunning”
• Upon trigger of IPS system, e.g., from a known type of exploit (Nimda, Sasser, TCP stack exploit, etc.), activate a “Shun” or client block event
• A shun event can be invoked either inline or offline
Wireless “shun” is invoked at controller via offline mechanism
Controller periodically (configurable interval) polls CIDS for client block event
• Invokes client exclusion (blacklisting) at Cisco Controller
Client remains in blocked state until CIDS removes block & exclusion times out at controller
Adding the Cisco IDS Sensor in Controller
TLS “fingerprint” from Cisco IDS sensor is used to encrypt the communication between the Controller and polled sensor
IDS Detection Event
As a result of Signature Detection, a “Client Block” may be requested as the event action from the IDS sensor
IDS event and Client Shunning
Diagram: Cisco Controller; Wired IDS (4200 Series IDS Sensor) performing Deep Packet Inspection; Enterprise Network
1. Client to AP/Controller (malicious traffic)
2. Controller to IDS (sensor monitoring controller wired interfaces)
3. Client Block event at sensor, retrieved by Controller (Shun)
IDS Host Block/ Client Shun
Client Blocking/ Client Exclusion Event
Management Frame Protection
Management Frame Protection (MFP)
Problem: There’s no “physical security” for Wireless & management frames are not authenticated, encrypted, or signed
Solution: Insert a signature (MIC) into the management frames
– AP beacons
– Probe Requests/Responses
– Associations/Re-associations
– Disassociations
– Authentications/De-authentications
– Action Management Frames
Scenario: Managed AP1 (MAC addr A.B.C.D); an attacker spoofing AP1 (MAC addr A.B.C.D) sends a Disassociation; Signature? NO = Discard
• If Management Frames do not have a valid signature, infrastructure can alert/discard and clients will be able to discard
Management Frame Protection Function
• A solution for clients and infrastructure (APs)
• Clients and APs add a MIC (signature) into every management frame
• Anomalies are detected instantly and reported to Controller/WCS
E.g. no threshold or rate checks required to detect anomalies
Diagram labels: MFP Protected; MFP Protected (FUTURE - CCXv5)
What are the benefits of MFP?
• Protection- for Rogue AP, Man-in-the-Middle exploits, other Management Frame attacks
• Prevention- will be available with clients capable of decrypting the signature
• Integration with other Cisco Security Monitoring solutions in order to characterize “attack vectors”-rules based correlation
• Cisco Security Leadership and Innovation
MFP Anomaly as Detected by Controller
• Invalid MIC
• Invalid Timestamp/Sequence Count
• No MIC
• Unexpected MIC
• Number of anomalies detected
• BSSID of anomaly
• IP Address/BSSID/interface on which the anomaly was detected
• Frame subtype(s) which had detected anomalies
• Period over which this event is reporting
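The MFP check from the earlier scenario (an attacker spoofing AP1 sends an unsigned Disassociation), with results classified into the four anomaly types the slide lists, as an added Python example that is neither the presentation's nor Cisco's MFP implementation. The MIC construction (truncated HMAC-SHA256 over BSSID, subtype, sequence count, timestamp and body), the replay window and all BSSIDs and keys are assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class MgmtFrame:
    """Fields an MFP check needs from an 802.11 management frame (constructed model)."""
    bssid: str
    subtype: str          # beacon, probe_resp, assoc_resp, disassoc, deauth, ...
    seq: int              # sequence count
    timestamp: int        # seconds; stands in for the frame's timestamp field
    body: bytes
    mic: Optional[bytes] = None


def compute_mic(key: bytes, frame: MgmtFrame) -> bytes:
    """Example MIC: HMAC-SHA256 over the fields a spoofer controls, truncated to 128 bits.
    The real MFP construction and key handling are Cisco's and are not given on the slide."""
    msg = (frame.bssid.encode() + b"|" + frame.subtype.encode() + b"|"
           + frame.seq.to_bytes(2, "big") + frame.timestamp.to_bytes(8, "big") + frame.body)
    return hmac.new(key, msg, hashlib.sha256).digest()[:16]


def protect(key: bytes, frame: MgmtFrame) -> MgmtFrame:
    """What an MFP-enabled AP does on transmit: insert the signature (MIC) into the frame."""
    frame.mic = compute_mic(key, frame)
    return frame


class MfpValidator:
    """Receiver-side check (infrastructure AP or MFP-capable client) producing the anomaly
    classes the slide lists: Invalid MIC, Invalid Timestamp/Sequence Count, No MIC, Unexpected MIC."""

    def __init__(self, mfp_keys: Dict[str, bytes], replay_window: int = 60) -> None:
        self.keys = mfp_keys                      # BSSIDs expected to sign, with their key
        self.window = replay_window               # tolerated clock skew in seconds (assumption)
        self.last_seq: Dict[str, int] = {}        # highest sequence count accepted per BSSID
        self.anomalies: List[Tuple[str, str, str]] = []  # (anomaly, bssid, subtype)

    def _discard(self, anomaly: str, frame: MgmtFrame) -> str:
        self.anomalies.append((anomaly, frame.bssid, frame.subtype))
        return "discard"

    def verify(self, frame: MgmtFrame, now: int) -> str:
        key = self.keys.get(frame.bssid)
        if key is None:
            # BSSID not configured for MFP: a signature there is itself an anomaly.
            return self._discard("Unexpected MIC", frame) if frame.mic is not None else "accept"
        if frame.mic is None:
            # The slide's scenario: attacker spoofs AP1's MAC and sends an unsigned Disassociation.
            return self._discard("No MIC", frame)
        if not hmac.compare_digest(frame.mic, compute_mic(key, frame)):
            return self._discard("Invalid MIC", frame)
        if frame.seq <= self.last_seq.get(frame.bssid, -1) or abs(now - frame.timestamp) > self.window:
            # Correct signature but stale: a captured frame replayed later.
            return self._discard("Invalid Timestamp/Sequence Count", frame)
        self.last_seq[frame.bssid] = frame.seq
        return "accept"


def run_scenario() -> List[Tuple[str, str, str]]:
    """Replays the slide's spoofed-disassociation case plus a forged and a replayed frame."""
    ap1, key = "00:0b:85:00:00:01", b"\x42" * 32   # constructed BSSID and MFP key
    v = MfpValidator({ap1: key})
    v.verify(protect(key, MgmtFrame(ap1, "beacon", 10, 1000, b"ssid=Data")), now=1000)
    v.verify(MgmtFrame(ap1, "disassoc", 11, 1001, b"reason=8"), now=1001)                    # spoofed, unsigned
    v.verify(MgmtFrame(ap1, "disassoc", 12, 1002, b"reason=8", mic=b"\x00" * 16), now=1002)  # forged MIC
    v.verify(protect(key, MgmtFrame(ap1, "beacon", 10, 1000, b"ssid=Data")), now=1005)       # replayed beacon
    return v.anomalies
```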
Summary
• WPA, WPA2, or Cisco TKIP along with an EAP protocol solution is recommended for WLAN security deployment
Choose the best EAP protocol that suits your deployment environment
Consider making a trade-off between security strength versus ease of deployment
• Segment wireless network along the same lines as wired network and use the same access restrictions
• Implement wired security features as well as Wireless IDS to detect wireless intrusion as well as protecting the network against Layer 2+ exploits
• Enable Security Policy Monitoring with WLAN Management
Enable WIDS features with the appropriate WLAN deployment according to the WIDS needs in your deployment
Proactively monitor and respond to security threats
Reference URLs
• Cisco Aironet Security Web site
http://www.cisco.com/en/US/netsol/ns339/ns395/ns176/ns178/networking_solutions_package.html
• WEP Vulnerabilities
http://www.cs.umd.edu/~waa/class-pubs/rc4_ksaproc.ps
http://www.cs.rice.edu/~astubble/wep/wep_attack.pdf
http://airsnort.sourceforge.net/
• Cisco Response to Dictionary attacks on Cisco LEAP
http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml
http://www.cisco.com/en/US/products/hw/wireless/ps430/prod_bulletin09186a00801cc901.html
• Latest CCX Information
http://www.cisco.com/en/US/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
• Cisco ACS deployment guide for WLAN networks
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_white_paper09186a00801495a1.shtml